License: Creative Commons Attribution 3.0 Unported license (CC BY 3.0)
When quoting this document, please refer to the following
DOI: 10.4230/LIPIcs.ECOOP.2015.689
URN: urn:nbn:de:0030-drops-52435
URL: http://dagstuhl.sunsite.rwth-aachen.de/volltexte/2015/5243/
Go to the corresponding LIPIcs Volume Portal

Hauzar, David ; Kofron, Jan

Framework for Static Analysis of PHP Applications

pdf-format:
33.pdf (2 MB)

Abstract

Dynamic languages, such as PHP and JavaScript, are widespread and heavily used. They provide dynamic features such as dynamic type system, virtual and dynamic method calls, dynamic includes, and built-in dynamic data structures. This makes it hard to create static analyses, e.g., for automatic error discovery. Yet exploiting errors in such programs, especially in web applications, can have significant impacts. In this paper, we present static analysis framework for PHP, automatically resolving features common to dynamic languages and thus reducing the complexity of defining new static analyses. In particular, the framework enables defining value and heap analyses for dynamic languages independently and composing them automatically and soundly. We used the framework to implement static taint analysis for finding security vulnerabilities. The analysis has revealed previously unknown security problems in real application. Comparing to existing state-of-the-art analysis tools for PHP, it has found more real problems with a lower false-positive rate.

BibTeX - Entry

@InProceedings{hauzar_et_al:LIPIcs:2015:5243,
  author =	{David Hauzar and Jan Kofron},
  title =	{{Framework for Static Analysis of PHP Applications}},
  booktitle =	{29th European Conference on Object-Oriented Programming (ECOOP 2015)},
  pages =	{689--711},
  series =	{Leibniz International Proceedings in Informatics (LIPIcs)},
  ISBN =	{978-3-939897-86-6},
  ISSN =	{1868-8969},
  year =	{2015},
  volume =	{37},
  editor =	{John Tang Boyland},
  publisher =	{Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{http://drops.dagstuhl.de/opus/volltexte/2015/5243},
  URN =		{urn:nbn:de:0030-drops-52435},
  doi =		{10.4230/LIPIcs.ECOOP.2015.689},
  annote =	{Keywords: Static analysis, abstract interpretation, dynamic languages, PHP, security}
}

Keywords: Static analysis, abstract interpretation, dynamic languages, PHP, security
Collection: 29th European Conference on Object-Oriented Programming (ECOOP 2015)
Issue Date: 2015
Date of publication: 29.06.2015

DROPS-Home | Fulltext Search | Imprint | Privacy Published by LZI